Run Your Own Server Podcast Episode 02: The OS Show
RYOS, Episode 2 - The OS Show
Thud: The RunYourOwnServer podcast for June 7, 2006.
Thud: In this episode, "The OS Show", open source licenses, the Linuxes, The BSDs, and a moment of sec.
Thud: This episode's reverse sponsor is the FreeBSD project. FreeBSD is an advanced operating system for x86-compatible systems. It is derived from BSD, a version of Unix developed at the University of California, Berkeley. It is developed and maintained by a large team of individuals. Find out more at freebsd.org.
Thud: In this episode we want to introduce you to some of the operating systems we like for servers. Since Seg is wasting time with sleep, it's just Gek and me for this episode. So let's get started.
OK, so Gek, why would you want to use an open-source software as an operating system?
Gek: Me personally, like I said before, I'm an information junkie. I do like the idea of being able to look at the source code and see how something is working. There are lots of arguments for the security you gain by being able to look at the actual code that you're running. I don't usually go that far and I'm not as well versed in C as I am in other languages, but I do like learning from the people who write the open-source software. And with an OS, you get a lot more information than you do with just, say, a mail app.
Thud: Yeah, I pretty much have to agree with that. One of the things that I like about open source is that there's only people working on it that really like what they're doing. So, if there's somebody who's interested in networking, for example, they could be working on the network-driver part of it. It's not like in a corporate environment where they hire 20 programmers and tell them, "OK, you're going to write this part and you're going to write that part." They pretty much get whatever they get stuck with.
In open-source software, you work on whatever program you want, and you work on the sections of it that you really like, and if you have a project that you work on but you don't like the way that it's written, you can start your own project that does the exact same thing, but it's all your own code.
For the large projects like a full operating system, there's just so many people working on them, it would be really hard for somebody to plant a trojan or something like that into an open-source operating system. It's been done before, but with so many people working on it -- so many eyes on the code -- it would be really, really difficult to hide something like that.
Thud: Where, in if you take a product like -- Excel is a good example. A few years ago, Microsoft Excel had a full flight simulator that was built into it because one of the programmers decided to put it in. That's a lot of extra code that they really didn't have to do.
Gek: Yeah, it's certainly something that -- something I take into account is that there's so many eyeballs looking at the code, and it's also, like you said, people who really do enjoy what they're doing. They want to be proud of it. They want a product -- I mean it's not even a product to them -- but they do want an end-product that they can be proud of and that other people will enjoy using.
Thud: OK, so one of the things about open source is that there are different kinds of licenses. Specifically on operating systems, there's quite a disparity between the licenses. Even though it's free and it's open source and you can modify it, there are just different camps for how people want to let you use their software. So that's the next section, we're going to talk about licenses. The first one is GNU, and GPL.
So tell us a little bit about that, Gek.
Gek: Basically, the GNU-GPL license was designed to enforce free software on anybody who uses that software that was written with that license. So, if I write a program to replace Outlook -- to send mail, receive mail -- if I write that, and somebody else comes along, company or otherwise, and tries to use my code for some new project, they have to keep that GPL license, they have to bring that license along with the code. The idea being that you've forced somebody to keep the software free and the source code open.
Thud: OK, the next license -- there's actually many, many different licenses that are all kind of related -- but the GPL and the next one, which is BSD, are the two main ones. A BSD license is similar to the GPL in the fact that you can use the code. The difference is that the license specifically says that you can use the code for anything. If you want to take the code and write a commercial package and never contribute back to the open-source project, you can do exactly that.
In fact it's been done before. Microsoft's TCP stack for their networking internals for their operating systems, for a long time, was actually based on a BSD-licensed stack, as was the Linux version of TCP. Just about every operating system was based on a BSD-licensed version of the code.
Gek: Also, Mac OS borrowed FreeBSD for their basis for the Tiger OS.
Thud: Yeah, exactly. There's a lot of BSD code out there that was developed by open-source developers, that are now in commercial packages, that are running large portions of the Internet, desktops -- it's really all over the computer world.
So, the next section we're going to talk about is the differences between the major open-source operating systems. One being Linux -- there's actually a variety of those -- and the other being BSD, which is different than the BSD license, though the BSD license was designed for the BSD operating systems. So, on the Linuxes, like I said, you have a number of different distributions. The big commercial one, of course, is Red Hat. You also have Knoppix and a bunch of others.
On the BSD side you have FreeBSD, OpenBSD, NetBSD -- all three separate projects, but all originally based on the same code.
So, Gek, can you tell us just some more detailed things about general Linux, not distribution specific?
Gek: A lot of the differences between the Linux distros are their philosophy on the licenses, which is why the licenses are so important. Red Hat tries to keep most of the software that they use GPL, and they don't like including other licenses in their distro.
So, for some distributions that's actually how they decide whether something can be included. Where other distros don't really care, they'll use whatever. Knoppix is one of the distros where they don't mind using something that has a proprietary license. They're more interested in functionality because they're a live CD. They're trying to expose people to Linux and they don't want the obstacles of licensing to get into people's way.
Thud: The differences between the BSDs are pretty much the same thing, it's more of a religion than anything. The three main ones, as I said before, FreeBSD, OpenBSD, and NetBSD, have completely different goals and different ideas of how to meet those goals.
FreeBSD for example is really really good about performance, they do everything they can to make it as fast as possible on the widest range of hardware. OpenBSD is security. They will actually do things that slow down processing to make it more secure, to make it harder for hackers and viruses and things like that to affect a system.
NetBSD, their main goal is really to run on everything. NetBSD provides in their development tree most of the bases for drivers that end up in the other operating systems. If there's a brand new piece of hardware coming out, whether it's a network card or a SCSI card or even a sound card, a lot of times the first open source operating system that has a driver for it is NetBSD and then the others adopt it, modify it, add onto it. So, that's what NetBSD is all about.
And the licenses, as you were saying before, the license differences are pretty interesting. FreeBSD, they don't really care that much about the licenses, as long as it's free, if it's GPL or BSD. OpenBSD and the guy who is the head of the project, his name is Theo, is very specifically trying to get rid of all non-BSD licensed code on their systems. They're obviously going to have problems with certain things, because GPL code is just everywhere in the Unix community. But, if they can have somebody internally within their project write a replacement for something that used to be GPL, but because they are writing a replacement from scratch, can now be BSD, that's what they try to do.
Gek: It should also be pointed out that one of the biggest differences between Linux and BSD is that all of the Linux distributions use the same kernel. Now, certain distributions may apply patches to that kernel and modify the base kernel, but they all run the same Linux kernel that comes from Linus and his team.
The BSDs are completely different. Each of the BSD projects, the main three ones the OpenBSD, NetBSD, and FreeBSD projects, they all run their own kernel. They write their own kernel, they have their own kernel teams. There are projects that stem from those, like DragonFly BSD and PC-BSD. But that's one of the core differences is that the BSDs do use -- each project uses its own kernel. And all Linux distributions share the same kernel.
Thud: Yeah, that is an important difference. And with BSD it's interesting now because they've been separate projects for so long, but each project basically built on the previous project. NetBSD was the original project and FreeBSD started with kernels from that that they've modified and added code to, and now they're completely different.
OpenBSD was the same thing. It started with NetBSD code and because of differences of ideas of how to write software and what an operating system should be, they peeled off from that BSD and started their own. And now they're similar, but they're definitely different. Their kernel code is completely incompatible now, between them.
Let's go into a little bit more detail with the Linux distributions, specifically the most common ones which are Red Hat based. So, you have Red Hat, CentOS, and Fedora. Gek, do you want to tell us a little bit about the relationship between Red Hat and Fedora which are the two major ones?
Gek: They have no relationship, there's no correlation at all. They're completely separate projects. No. Fedora is a project that Red Hat started. They don't control it anymore, but they use it to test the software that they put into the Enterprise Linux.
They made the Fedora project so they could continue a free version of Red Hat and they really did want to focus on the corporate support and Red Hat Enterprise Linux. CentOS was a result of that. People decided they didn't really like the idea of Fedora where everything was going to be bleeding edge, they wanted the stability of Red Hat. So, the CentOS project takes the source code from Red Hat, the stuff that Red Hat develops for Red Hat, recompiles it, rebundles it, and basically releases the same thing you get with Red Hat Enterprise Linux. The only thing you don't get is the Red Hat support.
Thud: That's pretty interesting. If I remember correctly the way CentOS is able to do that from a legal standpoint is that Red Hat releases the source code for all the commercial products, save one or two packages that they actually have different licensing for, but they release all the source code. So CentOS takes that source code and compiles it into binary and you can use it like a normal system.
Gek: Yeah, and I think the reason Red Hat has to do that is because most of that software that CentOS has access to is covered under the GPL, so again the license carries over and they have to release it.
Thud: So, tell us a little bit about Red Hat and CentOS's and Fedora's way of doing packages and software installations.
Gek: They all share the same mechanism, doing an RPM bundle. Which, basically, is a very advanced tarball of the files that you need to either compile the program or a pre-compiled binary that's distributed for your architecture, whether you have an Intel or Sparc or whatever your CPU is. The thing that I like about RPMs is you can upgrade an RPM. So, for your own package management, if you were designing an application for your own company, instead of just having to recompile everything on each of the boxes you can make an RPM, copy it to each box, just do a RPM upgrade, and now you've got all the boxes up to date.
Thud: Yeah, it makes it very easy to do software installations or upgrades because it's all binary based. A lot of the software in the UNIX world is, "Download the source code and compile it," which, depending on the software package, could take hours. With RPM it's all done with binaries, so it makes it much, much easier. Now that we've covered the Red Hat Linuxes and all the related Linuxes that are based on it, let's talk about some of the other distributions, because there is quite a difference between them, even though they have the same kernel. I actually don't have any experience with Debian, it's the first one of the list. Gek, why don't you go into that a little bit.
Gek: OK. Debian is a pretty popular package. I know for a fact that outside of the US, it's extremely popular. It has its own package management system that's called APT and they use Debian packages, .deb files. They work very similar to RPMs, I don't know exactly how the files are structured, but you can basically go to the command line and if you want to download a package, say you want to install Postfix on your box you just do "apt-get postfix" and it'll bring Postfix down and you'll have Postfix mail server running on your box. I believe there is also a GUI now called, I want to say it's called Synaptic, but I'm not positive, that you can use if you're not comfortable with the command line.
Thud: Yeah, and from what I understand, they actually have a variety of repositories, so for a Red Hat based system that's RPMs, for the most part you have to deal with RPMs provided by either Red Hat directly or the projects CentOS or Fedora, where you have to find somebody out there who's taken their software and built it into RPMs, which there are a lot of. But, Debian's package system is set up in such a way that there's many, many different repositories with many different versions of software all compiled in different ways for different things. There's a lot more software available for it if I understand it right.
Gek: Yeah, I think that the number of packages -- Fedora seems to be going towards the goal of being like Debian in terms of how many packages are available, but I think Debian is still the distribution with the largest number of packages available.
Thud: Yeah, so if you want to try a wide variety of software, Debian sounds like the place to go.
OK, so the next project we're going to talk about is Ubuntu, and I happen to know that Gek, you ran it for a while and I think you gave it up at some point, but tell us a little bit about your experience with it.
Gek: I really, really like the idea of Ubuntu. I think that this is a great project. The reason I did give it up was because I had problems when I was trying to do an upgrade one time, and I just decided I would switch to FreeBSD and use that for a while. The Ubuntu project is extremely cool. They actually pay to have problems fixed. So if they know of some limitation with fetchmail, they actually put up a $25, or $50, or $100 reward, depending on how big a problem it is. If you're a developer, you can actually go and claim that reward if you fix the problem.
They also are real heavy into Python, which is something I'm a huge fan of. So most of the projects that they sponsor they want written in Python. That was another reason why I was using it. They're trying to use the GUIs that Linux has available to make the end user as comfortable as possible. So if somebody's switching from Windows to Linux, they don't feel like they're jumping into something completely alien. It's easy to use. They really do want to make it so that the average person who's not a tech can pop in the Ubuntu distro, install it and use it and feel comfortable in it, day one. That's one of the things I liked about it.
Thud: Yeah, that is actually a pretty cool way of running a project. I wish a lot of other OS's would offer cash rewards for bugs.
Gek: So Thud, Knoppix is a live CD distro, tell us a little bit about it.
Thud: Well, the difference between it and the other distributions is the other distributions are designed to run on a machine off of the hard drive, as a server or workstation or what-have-you. Knoppix was originally designed, and still is, a CD-only distribution, so everything you need is on the CD, or you can even do it on a USB drive now. The idea is that you just carry it around with you. You can pop it into any machine, boot off of it, do what you need to do -- check your email, surf the web, do whatever -- and you don't have to worry about it.
Depending on how you want to set it up, you don't have to even save anything to the hard drive. If it's only temporary things, or you're doing everything remotely, it doesn't even affect the machine that you're on. So you could put it in a Windows machine, boot off of it, use it, and reboot the machine into Windows, and the machine's hard drive hasn't changed at all.
You also have the option of setting it up so that it can save data. But the really cool thing about it is if there's ever a security issue, or worm going around or you get a virus, all the data's on the CD. You can't write to the CD so it doesn't get infected with anything. That's one of the reasons why a lot of security tools are operating systems based on Knoppix with additional security tools added, so there's a complete package to do network scanning or exploit testing, things like that, it's all based on a CD that you can just boot off of on just about any machine.
Gek: I have to say I have actually played around with the ability to remaster your own Knoppix CD, and that's pretty cool too, but I think it's a little more than I needed. The idea, again, is that you can reuse it, you can change it to work for you, and that's following the whole open source philosophy.
Thud: All right, the next section is on the BSDs, specifically OpenBSD and FreeBSD. At least I haven't really used NetBSD that much. I've found that anything I need to do I can do with OpenBSD or FreeBSD. So we're going to lightly touch on that BSD. As I said, they're all related, so they're set up kind of the same way. On a surface anyway, there's not a whole lot of difference. There's a lot of behind-the-scenes differences.
Gek: So Thud, tell us about OpenBSD.
Thud: OK, so, OpenBSD's main goal is security. That's one of the reasons why in the way they build their system, everything is security minded. They only include things in the default package and in the default install that they feel you really, really need. There are a few things they add that you probably don't need but they're off. They're installed but they're not running. That's one of the reasons why they can actually stand behind the claim on their website that they've had one remote hole in their security in the last eight years. I don't know of any other operating system that can say that with the confidence that OpenBSD can.
So Gek, tell us a little bit about what makes FreeBSD different from OpenBSD.
Gek: Well, FreeBSD isn't really concerned so much with security. Like all open source distributions, operating systems they are concerned, but they're more concerned about speed. They really seem to be trying to get the fastest OS that they possibly can, and to that degree they've been pretty successful which is why a lot of major websites for a very long time were running on FreeBSD. I know that Yahoo used FreeBSD, I don't know if they still do. I'm pretty sure Hotmail used to run on FreeBSD, even while Microsoft owned it, briefly, before they switched it to IIS.
The project is designed to work on as many different platforms as they can get it on. They're trying to do cutting edge features. They like to put in new things like the jailing mechanism that they have is pretty neat. They also had multiprocessor support, I believe, before the other BSDs did. Maybe Net had it first. FreeBSD is easy to install and absolutely free. They have a great team. They have a pretty large team and it is larger than OpenBSD's team. But there is an argument to be made that a larger team isn't necessarily better.
Thud: OK, so with Red Hat you have RPMs for doing software installs and upgrades, Debian you have Debian packages, Ubuntu you have their way of doing updates. What is there for FreeBSD?
Gek: FreeBSD has ports and packages. Two different mechanisms that basically accomplish the same thing. Ports is a collection of source code that lets you go and look through a tree structure, basically, like browsing a list of applications.
If you wanted to get a mail program, there is an actual mail directory in ports, you go in there, you do an ls and you can find all these different mail applications, and each one of those directories has another file in there and there it describes what that project is, what it does. Then, you can just basically do make install and it will download the source code, apply FreeBSD's patches and then build the compiled program for you.
The great thing about ports is -- if there are any dependencies that you need, if there are other programs that have to be downloaded and installed also -- that all happens automatically. Portupgrade is a way of managing things you have already installed where you can just say, "I need to upgrade all of the ports ever installed so far." It will go through, figure out what you have, download the packages if there are updates, recompile them and reinstall them.
I know that you have some familiarity with OpenBSD's ports and packages. Can you tell us a little about that?
Thud: Yeah, it is based on the exact same system. They have ports, which is source code, and they have packages which are pre-compiled binaries, basically a tarball that gets installed. The way that they do it is if you install something in ports, you compile it, again, it goes and grabs all the dependencies and then, it creates the package. Then, they run their package installer to actually install the finished package.
For this episode's moment of sec, we are going to talk a little bit about security on all of these different operating systems. There are just some common things that you can do. One of the best things you can do is turn off services that you are not using.
Gek: I usually go through and turn off a lot of stuff on Red Hat or CentOS. They include services that have to do with NFS. If you are not using the server as an NFS server, you don't need many of the services that start up by default. There is, really, you just have to go through and do a mental checklist and say to yourself, "I am going to use this server for a web server and nothing else." Then, you do not need anything else. You can turn almost everything else off.
You still have to leave mail on but you can configure it so that it won't accept email from the outside world. There are a lot of things that you just have to go through. With Red Hat, CentOS and Fedora, you can run chkconfig and you can get a list of the services that are installed on the box and even turn them off with that same command.
Thud: Yeah, that is one command in Red Hat and the like that makes it extremely easy to see what is running and what is not. Conversely on OpenBSD, there are actually a number of different ways that programs can be started. There are three or four different places you have to check, to see whether or not there are services that are starting that you do not need.
Gek: FreeBSD is the same way. Another thing that you can look at is file permissions. A lot of the OSs, by default, don't have very restrictive permissions on their files. Once you get a better feel of what users actually need access to, if you are going to allow users to log in to your box remotely, you should definitely take a look at file permissions and see what you can change to lock down the box.
You don't want your users going into the /etc directory at all, if you can help it.
Thud: Yeah, I have to agree with that. Locking down the file system is a very good place to start for security on any of the operating systems. Especially, if you are going to allow other people that you do not trust access to the box.
Gek: I do not trust anybody.
Thud: Yeah, I do not trust myself.
Gek: That must be some interesting file permissions, then.
Thud: Yeah, I pretty much do an install and then format everything.
Gek: [laughter] So in closing, I just want to say, I really think the best thing to do to choose your OS is go and try the major distributions, the Linuxes, Red Hat, CentOS, Fedora. Debian, Ubuntu, I don't prefer them for servers but you should definitely look into them, they have merit. Just go through, play with them, find which one fits the way you want to manage your servers and then learn how it works. What do you think, Thud?
Thud: I definitely have to agree. The same with the BSDs, just try them all, figure out which one you feel most comfortable with and stick to it. Because whatever you feel most comfortable with, you are going to learn more and just continually use it. If you use it all the time, you are going to get better and better at it and be more and more comfortable with it. It really does not matter when it comes down to it. They are all UNIXs, they are all going to run the same software. It is really just a matter of trying them out, figuring out which one feels right for you, the operating system you feel most comfortable on, and just build on top of that.
I prefer OpenBSD because it comes default, it comes locked down. You have to literally turn everything on to get anything to work. A lot of the Linux distributions are the opposite way. They include a lot of stuff to make it easy for people just to do an install and everything works, but if you want to lock it down, you can. You can make Linux just as secure as OpenBSD, you can do it with any operating system. I mean, technically you can make Windows as secure as any UNIX system. You just have to unplug it.
Gek: And turn it off. [laughter]
Thud: Turn it off and wipe the hard drives. It's really just a matter of figuring out which one you feel most comfortable with and just using that one. I have used Linux for web servers, database servers, and mail servers in the past. I just prefer OpenBSD today. Six months from now maybe something completely different.
Gek: I have to agree. I think what is more important is how easily you can manage it and how comfortable you are, because ultimately, no amount of security is going to work without you being the person that says, "This can't happen because this is insecure." There has to be a human element making the decisions.
And the OS, like you said, Open is a great place to start, especially if you are not comfortable with security. But it is also more cumbersome because of that, you have to turn things on. FreeBSD, I think, has most things on by default. It might not be the best place to start if you are looking for security. Like you said, anything will really work, you just need to learn how to lock it down and prevent people from getting into the box.
Thud: For show notes or other details, please visit our website at runyourownserver.org.
If you would like to send us feedback or have questions you would like us to answer on the show, please send an email to podcast att runyourownserver.org.
The intro music, "I Like Caffeine" is by Tom Cote. This song, "Down the Road" is by Rob Costlow. Please visit our website for links to their websites.
This podcast is covered under a Creative Commons license. Please visit our website for more details.